STIX Shifter sometimes Silently Ignores Unmapped Properties in Complex Querie #1716
Comments
|
In case anyone finds it useful, I think |
|
Hi, I am wondering if you are using the "unmapped_fallback" option that most stix_shifter modules should have support for. Should look something like
This sounds like what you are looking for. Can you give that a shot a let me know if that helps? |
|
Thank you for your response. I'm sorry I forgot to tell that I already tried it. When running this command I still get the same result with no error message or any indicator that a part of the query was unmapped : |
|
Ah, yea I see the issue. This seems like a valid issue. Right now the code is already compiling the invalid mappings, but it only outputs it if there is no valid query. There is an easy solution to this to simply expand the error handling to always display the unmapped fields/operators. However a more correct solution would likely be to validate the mappings and fail the request if an unmappable operator/field is provided. At the moment I have other priorities, but if I get a chance I (or someone else) can take a look into implementing it. |
|
Thanks for acknowledging the issue. |
|
For the time being I have introduced a warning message that should now appear when there are unmapped fields in the query. It's not a perfect solution as it doesn't validate the whole query (just the mapping and operators) but it should work. I've left it as a warning instead of throwing the exception as some users may be used to the way it was working. However the warning message does tell you which mappings were invalid and were being ignored. You can see the PR here |
Describe the bug
When a STIX pattern contains a mix of mappable and unmappable properties, STIX Shifter translates and executes the query without raising an error, even though parts of the query will have no effect due to the missing mappings. This can lead to incomplete or inaccurate results.
To Reproduce
stix-shifter translate elastic_ecs query {} "[windows-event-log:event_id = '4726'] AND [user-account:account_login = 'admin']" "{"validate_pattern":"true","time_range":1000}"
Expected behavior
STIX Shifter should:
Throw an error: Clearly indicate that a portion of the query cannot be mapped to the target data source just as it does when trying to translate with a query that is only using the unmmap properties.
List unmapped properties: Ideally, the error message should specify which STIX objects and properties could not be mapped.
Desktop (please complete the following information):
Actual behavior
INFO Converting STIX2 Pattern to data source query
{
"queries": [
"(user.name : "administrator" OR user.name : "admin") AND (@timestamp:["2024-07-28T18:59:21.845Z" TO "2024-07-29T11:39:21.845Z"])"
]
}
Impact
Incomplete Results: Users might unknowingly retrieve incomplete data, as the unmapped filter criteria are not applied.
Difficult Debugging: The lack of error messages makes it challenging to identify and troubleshoot mapping issues, potentially leading to wasted time and effort.
Additional context
This behavior makes it difficult for users to trust the completeness and accuracy of translated queries. Enhanced error reporting and handling of unmapped properties are crucial for improving the reliability and usability of STIX Shifter.
The text was updated successfully, but these errors were encountered: